Spyderisk / domain-network

Network domain model
Apache License 2.0

No-cause threats and Default TW #95

Open mike1813 opened 10 months ago

mike1813 commented 10 months ago

Some threats, usually representing normal operations or the side effects of controls, have no causes that could depend on other threats. For example:

Spyderisk system-modeller was not able to handle such 'no cause' threats, so domain modellers had to introduce a 'fake' TW attribute to act as a primary cause. In most cases, the attribute DefaultTW is used. The default TW level for these attributes must be zero.

The presence of such 'artificial' causes is confusing for users. Threat likelihood calculation does not require them, but it is unclear whether the system-modeller cause-and-effect relationship detection or subsequent threat path analysis may require having at least one primary or secondary cause. See system-modeller issue #120.

It makes sense to create a branch in which H.IS.PH.8 and H.A.H.6.1 are formulated as no-cause threats, just to see what happens, and to provide a test case for system-modeller developers should system-modeller issue #120 require changes to system-modeller itself.

Once system-modeller is able to handle this domain model branch, other threats should be converted to no-cause threats, allowing the artificial TW attribute DefaultTW (and possibly some others) to be eliminated.
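The following is an added toy model, not code from Spyderisk or from this issue, written to illustrate why a placeholder cause such as DefaultTW only works at the lowest TW level and how cause-chain analysis can terminate at a genuinely no-cause threat instead. Assumptions (not taken from the page): a 5-point TW scale, a threat's likelihood taken as the minimum over its causes of the inverted TW level (weakest-link semantics), a no-cause threat treated as normal operation with the top likelihood, and the constructed threat names `NormalOp`, `Compromise`, `DataInTransit`, `HostTW` and `LossOfConfidentiality`.

```python
from dataclasses import dataclass

# Assumed 5-point trustworthiness scale, lowest first (assumption, not Spyderisk's scale).
# Likelihood index = TOP - TW index, so TW level 0 maps to the highest likelihood.
TW = ["VeryLow", "Low", "Medium", "High", "VeryHigh"]
TOP = len(TW) - 1


@dataclass(frozen=True)
class Threat:
    name: str
    causes: tuple   # TW attribute names and/or misbehaviour names (empty = no-cause threat)
    effects: tuple  # misbehaviour names this threat produces


@dataclass
class Model:
    tw_levels: dict  # TW attribute name -> index into TW
    threats: dict    # threat name -> Threat

    def producers(self, misbehaviour):
        return [t for t in self.threats.values() if misbehaviour in t.effects]

    def likelihood(self, name, _seen=frozenset()):
        """Weakest-link likelihood: the minimum over all causes (assumed semantics).
        A threat with no causes represents normal operation and gets TOP."""
        t = self.threats[name]
        if not t.causes:
            return TOP
        if name in _seen:            # cyclic cause chain: neutral element for min
            return TOP
        seen = _seen | {name}
        worst = TOP
        for cause in t.causes:
            if cause in self.tw_levels:
                worst = min(worst, TOP - self.tw_levels[cause])
            else:
                # A misbehaviour is as likely as its most likely producer; none -> VeryLow.
                from_producers = [self.likelihood(p.name, seen) for p in self.producers(cause)]
                worst = min(worst, max(from_producers, default=0))
        return worst

    def root_causes(self, name, _seen=frozenset()):
        """Walk cause links back to their origin. A no-cause threat is its own root,
        so the walk terminates without a placeholder TW attribute."""
        t = self.threats[name]
        if not t.causes:
            return {("threat", name)}
        if name in _seen:
            return set()
        seen = _seen | {name}
        roots = set()
        for cause in t.causes:
            if cause in self.tw_levels:
                roots.add(("tw", cause))
            else:
                for p in self.producers(cause):
                    roots |= self.root_causes(p.name, seen)
        return roots


def build(no_cause, default_tw_level=0):
    """Constructed example: a normal-operation threat whose effect feeds a compromise.
    With no_cause=False the 'fake' DefaultTW attribute is wired in as its only cause."""
    normal_causes = () if no_cause else ("DefaultTW",)
    return Model(
        tw_levels={"DefaultTW": default_tw_level, "HostTW": 3},
        threats={
            "NormalOp": Threat("NormalOp", normal_causes, ("DataInTransit",)),
            "Compromise": Threat("Compromise", ("DataInTransit", "HostTW"),
                                 ("LossOfConfidentiality",)),
        },
    )


def compare(default_tw_level=0):
    """Likelihood of Compromise with the fake cause vs. with a true no-cause threat."""
    fake = build(no_cause=False, default_tw_level=default_tw_level)
    real = build(no_cause=True, default_tw_level=default_tw_level)
    return (fake.likelihood("Compromise"), real.likelihood("Compromise"))


if __name__ == "__main__":
    print("DefaultTW at level 0:", compare())      # identical results
    print("DefaultTW at level 4:", compare(4))     # placeholder now suppresses the threat
```

Under weakest-link semantics the placeholder is harmless only when it sits at the lowest TW level, where it is the identity element for the minimum; any other default level would wrongly lower every downstream likelihood, which is why the comment above insists the default must be zero. The `root_causes` walk shows the other half of the question: once a no-cause threat is allowed to be its own root, path analysis no longer needs the fake attribute to find somewhere to stop.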

mike1813 commented 10 months ago

Created a test case for this change, comprising a simple client-service relationship, in which the client and service hosts are both connected to the Internet, and the client updates data stored on the service host. Non-negligible impact levels are set for loss of authenticity, confidentiality and timeliness at the data.

The only controls set initially are in modelling error CSGs: indicating that the hosts have no managers, the data is impersonal and physical attacks from the World should be ignored. This configuration is set up in Issue 95 Test - No Controls - Asserted.nq.gz. With no other controls this produces threat paths leading to the impactful data compromises.

To reduce those risks, one can disable the service host. The disablement control is assumed to represent a temporary situation, so this doesn't make the data unavailable - the stored copies are not gone with the host temporarily powered down. It does affect the timeliness of data, but the impact level for this is lower than other data breaches, so the risk level falls. This setup is captured by Issue 95 Test - Disabled Host - Asserted.nq.gz.

It should be possible to get the same results with H.IS.PH.8 and H.A.H.6.1 converted to no-cause threats.

This test case shows that there are some threat paths that should depend on the host being in service but do not. These are discussed separately in issue #96. They do not invalidate the use of this test case to test correctness of no-cause threats.

mike1813 commented 10 months ago

Created a modified domain model, here attached.

domain-network-6a3-3-2-2-NoCauseThreats - unfiltered.zip

This is an 'unfiltered' domain model, which means all flags causing the system-modeller GUI to filter TWA and consequences are switched off, and construction state is not deleted. That may be helpful for development testing purposes.

This model includes two sets of changes:

A test revealed that the second change causes system-modeller to get the wrong likelihood for those threats. This is not what I expected - I expected problems with threat path calculations, not basic threat likelihood.

Because of this, only the first set of changes has been committed to branch 95 in GitHub.